Undercover theft prevention
Dave Schroeder
das at doit.wisc.edu
Tue Nov 14 07:01:13 PST 2006
On Nov 14, 2006, at 8:18 AM, Ashley Aitken wrote:
> So who has (and who hasn't) set their firmware password on their
> Mac laptop (I see less of an issue with a desktop)?
*Pictures this thread devolving into 45000 people saying whether or
not they have a firmware password set with little useful information
about why this is the case* ;-)
> Personally, I've never really considered it.
>
> Alternatively, who uses FileVault on their laptop for data security?
>
> Personally, I've never really considered that either (too much data
> and probably too little worth to anyone but me).
>
> Cheers,
> Ashley.
Well, on a laptop (or any machine), if someone has already stolen it,
any thief who can even remotely use Google and has two brain cells to
rub together will find out how to remove the firmware password. Or,
they'll sell it (and that person will sell it, etc etc.), and it will
eventually get to someone who knows how to remove the firmware
password. But that person is probably not after your data, in the
same way the thief who stole the VA laptops with millions of names
and social security numbers worth God knows how much on the black
market probably didn't know/care about that data - just about
stealing the laptop.
In any event, once someone has physical access to a machine, they own
it and all your (unencrypted) data, and will always be able to defeat
any firmware passwords, etc.
The ONLY way to protect your data, if that's what you're concerned
about in the event of theft or inappropriate use without your
knowledge, is encryption. Period. (A little more information: if
someone were able to crack a password using brute force (which is
possible to do, probably under a wide variety of conditions and depending
on how and where the same password as your user account password is
stored), they'd then have the capability to access FileVault-
protected data. An example of this would be a password stored for
NTLM authentication, or a legacy shadow password.)
The things a firmware password is appropriate for are public/lab/
shared settings, or settings where you suspect that someone may try
to casually use your computer without your knowledge for some reason
(roommate who wants to break into your computer, but wouldn't go so
far as to cut locks and open cases). A firmware password is NOT a
theft deterrent, and NOT a mechanism of data protection. That said,
there's certainly no harm in using one.
I do not use one on any of my machines because:
1.) They're in trusted environments
2.) I find it extremely annoying that I can't boot into single user
mode or boot into target disk mode when I need/want to. If it
prompted for the password for any of these events, I'd probably have
one set. Currently, the only boot-modifier event for which it prompts
for a password is holding the option key to select boot volume.
Everything else is ignored.
If you never need to use single user mode or target disk mode or boot
from CD on a routine basis, or don't mind disabling the firmware
password every time you want to do something, go for it.
- Dave